Some services require Kerberos credentials when they start to make connections to other services or need to use them when they have started.
The easiest way to get tickets for a service is to store the key in a keytab. Both ktutil get and kadmin ext can be used to get a keytab. ktutil get is better in that way it changes the key/password for the user. This is also the problem with ktutil. If ktutil is used for the same service principal on several hosts, they keytab will only be useful on the last host. In that case, run the extract command on one host and then securely copy the keytab around to all other hosts that need it.
host# ktutil -k /etc/krb5-service.keytab \ get -p lha/admin@EXAMPLE.ORG service-principal@EXAMPLE.ORG lha/admin@EXAMPLE.ORG's Password:
To get a Kerberos credential file for the service, use kinit in the --keytab mode. This will not ask for a password but instead fetch the key from the keytab.
service@host$ kinit --cache=/var/run/service_krb5_cache \ --keytab=/etc/krb5-service.keytab \ service-principal@EXAMPLE.ORG
Long running services might need credentials longer then the expiration time of the tickets. kinit can run in a mode that refreshes the tickets before they expire. This is useful for services that write into AFS and other distributed file systems using Kerberos. To run the long running script, just append the program and arguments (if any) after the principal. kinit will stop refreshing credentials and remove the credentials when the script-to-start-service exits.
service@host$ kinit --cache=/var/run/service_krb5_cache \ --keytab=/etc/krb5-service.keytab \ service-principal@EXAMPLE.ORG \ script-to-start-service argument1 argument2